00. Exposing a Currently Active WannaCry Ransomware Domains Portfolio - An OSINT 
Analysis 


We've decided to obtain a publicly obtainable and accessible portfolio of WannaCry C&C 
(Command and Control) servers and attempt to offer practical and actionable threat intelligence 
including cyber attack attribution information for the purpose of assisting the security industry on 
its way to track down and monitor the true botnet masters behind the campaign. 


In this article we'll offer practical and relevant information including actionable intelligence on the 
Internet-connected infrastructure behind the WannaCry ransomware campaign using Maltego in 
combination with WhoisXML API’s vast and in-depth real-time and historical WHOIS database. 


Sample ransomware domain C&C (Command and Control) domain registrant email 
addresses known to have been involved in the campaign: 


ftomio@yahoo[.]Jcom 
novid6666vfqjbggghyyyyyofark@mail[.]ru 
novid6666vfqjbggghofark@maill.]ru 
pinda1g5r5y77@maill.Jcom 
botsmustdie@gmail[.]Jcom 
contact@gitmc[.Jorg 
admmin[.]mihretya@mail[.]com 
iwkitakumgb@yahoo[.]Jcom 
vj11q99hp7qiZi@inbox{.]ru 
iqoption[.]store@mail[.]ru 
rafalskiy[.]83@e-gifts4you[.Jcom 
zb2626022@mvrhit{[.]net 
lon[.Jbin@aol[.]com 
everydomaininplace@mail[.]ru 
vj11q9t9polokai@inbox[.]ru 
evgeny[.]kamyschov@yandex[.]ru 
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domthreefreesite.com kawoyurpyqhm.com bwjbsrswaehue.com  uwdnwijtvjfwiaiupin.com 


Sample ransomware domain C&C (Command and Control) servers known to have been 
involved in the campaign: 


cgvnwyfmh[.]com 
gssbjwhoose[.]com 
b18w187yebsoi[.]Jcom 
hvvflaobcvavhxcvrx[.]com 
eukbhitrjtp[.]com 
aoylllsqinxxrvs[.]com 
ydwaqpuwjpxij[.]Jcom 
samtbqdmwanp[.]Jcom 
tinjahjgsutmdj[.Jcom 
bnmokfrjpylxhvmwx[.]Jcom 
mheaamwwb[.]com 


ovokgnrkbhivynnn[.]com 
bvvimdtiuuceto[.Jcom 
limyhsqxryqauxxcfkc[.]Jcom 
fajsnjrkxqdnuecblmg[.]Jcom 
dqbbdvdqayfhvvv[.]Jcom 
igdonhdghkisinfxvil[.Jcom 
wsajnxcqredi[.]Jcom 
uaseqxra[.]Jcom 
fxejmhvyijoyxjcmly[.Jcom 
csbtxvxo[.]com 
jgibggawcw[.]com 
eobqwmaykyyk[.]Jcom 
mpiknurw[.]com 
upvuyweywb[.]com 
xvvsspqcvuwihdc[.]Jcom 
wrisadfh[.]Jcom 
wmlccribupoplhjteyt[.]Jcom 
otqobichpcl[.]Jcom 
Idyyeaitaqn[.]Jcom 
hvxfiygicrtunxs[.]Jcom 
ifobhuxbpovgjxohnp[.]Jcom 
hfltolixcdquc[.]Jcom 
acgmypwiyhymde[.]com 
baidu[.Jcom 
ijnmdbjgejoflewk[.]Jcom 
oqdmeolksujhud[.]click 
tmoojygvvoibfvocug[.]com 
hkknabxegrfebwmp[.]Jcom 
jliypjygyjkec[.]com 
mqaiktrhxhikoygwi[.]Jcom 
aruwggvopgxpalh|.]eu 
smsyalkclunrd[.]click 
vutptwpxhkgjeqll[.Jclick 
aeetbyamuwbJ[. ]bid 
fmahyrlaklkrseclq[.Jcom 
hvarfqrqddfof[.]bid 
ptfwlavyhrnct[.]Jcom 
wmrsfhcaqspdg[.Jeu 
ju73yehh652te6y[.]Jcom 
ijjsshatuadmd[.Jeu 
bxocmvif[.]Jcom 
xxkdbpcrygynpcwujdx[.]click 
tettcsxxmnnilxwtg[.]com 
rgcakqlu[.]click 


kfupalynvdsbruypx[.]Jcom 
rycvrswhnhygtj[.]bid 
jyortffmmirelhqdmf[.]Jcom 
qaskdhtuinhmmfsbcsu[.]com 
vqewethewii[.]com 
saiuxogkfuj[.Jcom 
qynmkrfl[.]Jcom 
rnfkbasigquaqwao[.]Jcom 
tsuqpjkd[.]Jcom 
qrarxngrqtmioqnawg[.]Jcom 
iwobkqnbkckti[.]Jcom 
h62yeey62tqgshy[.Jcom 
rutmrdutdsynx[.]Jcom 
kpyatdyqtcawoq[.]Jcom 
xyefkhkaqfs[.Jcom 
jcyikvtfdkynmfqmpvil.]com 
vfjbsbxoqgdeayhul[.]Jcom 
cpyyuydoqvdh[.]com 
odvposjpkihv[.]Jcom 
gsxglmcdyxd[.]com 
skhclnfws[.]Jcom 
nojpwfmccnowkp[.]com 
ijqsiskkdy[.]Jcom 
vocxwavkwmll[.]Jcom 
ynjyqtgjpuullsfaw/[.]com 
fpbagtcbmcdcyeu[.]com 
jauybjisqwnoscjtwiu[.Jcom 
sxavjnfrwwrq[.]Jcom 
Imfdaoefn[.Jcom 
uwyarxuxharsm[.]com 
dmfvkcsyddmelo[.]Jcom 
toersratxvnjtsaqdp[.Jcom 
grojjpof[.]Jcom 
usrfyjueaneumgqx[.]Jcom 
naposwogfbi[.]com 
gjvublwgk[.]Jcom 
rgmayedyahatevqyuc[.]Jcom 
swwqmpjpvdbxsjos[.Jcom 
rikbrsqoyjjpb[.Jcom 
yyygshsshssjhsiheush[.]com 
chceogemftwldiucf[.Jcom 
ghnsonrgujyymhvwvg[.]com 
google[.]Jcom 
hshshshsussiiwuwyw{[.]com 


irianyrijlj[.]Jcom 
gacvuwlgsxthte[.]com 
ojrpdqrynxjxcxep[.]Jcom 
ckkxyupextanlvcrdig[.]com 
j7362yhhstwr6 1ki[.Jcom 
fdgbdfoaq[.]Jcom 
mkjwhutycli[.]Jcom 
unpdjyjymnidqv[.Jcom 
cfvvhpilqri[.Jcom 
keekovgflbyhapom[.]com 
jyfilqilh[.Jcom 
ochmemne{[.]Jcom 
rmydloxxpugbyalc[.Jcom 
bsvxaqwgwstggsaad[.]com 
bibcxgoilxejw[.]com 
dejcuwekbybdqvdxax[.]com 
ljewfxhym[.]Jcom 
vnjnoketbygeovrff[.]com 
gpvuowahrsxwnytibuk[.]com 
kegilaojbgxsunye[.]Jcom 
dafnpgrvujrsmjkbkdd[.]com 
tbaieqlxhwdlxp[.]Jcom 
havciiqgbaf[.]Jcom 
jrxhklatqmgh[.Jcom 
ngbclncfxjdsmmribt[.Jcom 
hjxrlogjgyapjk[.Jcom 
ehbplfdefjinylvld[.Jcom 
qihksfkx[.Jcom 
dsdbwncsbdgrptrmt[.Jcom 
sxkallpiiknswi[.]com 
kofeydncog[.]com 
enkxctjh[.]Jcom 
guaevvaxrujnobfytud[.Jcom 
wkoebopguwyjoinyubl[.]Jcom 
aujastmvehxqmlbb[.]com 
toxprxithlakdnoiav[.]Jcom 
nqnydiniuvyxs[.]Jcom 
vkjqhghdfxdmf[.]com 
cdmjnwect[.Jcom 
eofvvdkbs[.]com 
twdqbwjwoygiwanqqb[.]com 
dqemqcbxgofddopclb[.Jcom 
kxixhbnaim[.]Jcom 
jnoqbdaw[.]Jcom 


ylqdywitywgeoxqfcax[.Jcom 
acpjdcdkveempfmhs[.]Jcom 
tpmmmhgg[.]Jcom 
ryoeeebqqbigfm[.]Jcom 
augustabilisation[.Jcom 


Related ransomware domains known to have participated in the campaign and are 
currently in operation using the same domain registrant email addressess: 


rrcccphsaoye[.]Jcom 
sjvishymfmbmtyrvry[.]Jcom 
rradcacnnoc[.]Jcom 
uaseqxra[.]Jcom 
xauylcgoqijqfmck[.]Jcom 
tpaubbtkjjgiverk[.]Jcom 
ludvoxybkooeiyfmcb[.]Jcom 
wsajnxcqredi[.]Jcom 
aebirkyvqmk[.]com 
echrepdvcd[.]com 
hfltolixcdquc[.]com 
dqemqcbxgofddopclb[.Jcom 
fkovkvdmupunethwtg[.]com 
ggcfksuyghejmnpe[.]Jcom 
hfhiixbkvbkk[.]com 
ijnmdbjgejoflewk[.]Jcom 
pnhdqitkumbyhqyrtqi[.]Jcom 
psxfljiwmxgnnag[.]Jcom 
rnybnenkcfvpfpqc[.Jcom 
xxockvkwmaiigrv[.]Jcom 
emvgfshkhldeyou[.]com 
wwmpetrwryslk[.]Jcom 
udbqsimre[.]Jcom 
dikorrtundbuov[.]com 
mfvgfeqskjbdvgbk[.]Jcom 
shmhmhfmnxvr[.]com 
redirect-pendakas[.]Jcom 
panderasik[.]Jcom 
fpbagtcbmcdcyeu[.]com 
real-time-chat[.]su 
gsxglmcdyxd[.]com 
erwijyiyasbvfey[.]com 
Inbkjtineroxhd[.]Jcom 
elptuelny[.Jcom 
gojmwuuvmpf[.]com 


bmoqgnuyxdvtnnjnfL.Jcom 
saqjrigopkuins[.]com 
emvgfshkhldeyou[.]com 
kbvvvcomkgdhat[.]Jcom 
wwmpetrwryslk[.]Jcom 
rrcccphsaoye[.]com 
xqfqftrtkdxdi[.]Jcom 
slcdnbhpclwtokt[.Jcom 
yntwugycoqqchtuf[.]Jcom 
dxIrhalgceu[.]Jcom 
akihabarastst[.]Jcom 
akihabaraastt[.]com 
advnjlgxwpp[.]Jcom 
ijqsiskkdy[.]Jcom 
igypwmddmvlcpmti[.]com 
vkaisyssaikqxpsb[.]com 
gcgyxdkpl[.Jcom 
xqrugamfsyrvpynexi[.]Jcom 
uacujgnkrqpmjiwfb[.Jcom 
qwplvisnjturjnwoab[.Jcom 
rnybnenkcfvpfpqc[.Jcom 
xyqrydep[.Jcom 
xxockvkwmaiigrv[.]Jcom 
yglofncpiwrhdemv[.]com 
qynmkrfl[.]com 
mwbsgpeaty[.]Jcom 
drppnhmaivkocfkbpwa[.]com 
pvalavol[.Jcom 
real-time-chat[.]su 
ynjyqtgjpuullsfaw/[.]com 
gsxglmcdyxd[.]com 
aebirkyvqmk[.]com 
echrepdvcd[.]Jcom 
hfltolixcdquc[.]com 
oqdmeolksujhud[.]click 
wsajnxcqredi[.Jcom 
fpbagtcbmcdcyeu[.]com 
sjvishymfmbmtyrvry[.]Jcom 
rradcacnnoc[.]com 
uaseqxra[.]Jcom 
uwdnwijtvjfwfaiupin[.Jcom 
wiilpplshq[.]Jcom 
bwjbsrswaehue[.]com 
xauylcgoqijqfmck[.]Jcom 


kawoyurpvqhm[.Jcom 
tpaubbtkjjgiverk[.]Jcom 
domthreefreesite[.]Jcom 
jmwrboefbrhresaekn[.]com 
jjnwinkc[.]Jcom 
pizdavamjaposhki[.]com 
cwnbpprxkvbvotaq[.]com 
jxkskvaor[.]Jcom 
jgibggawcw[.]com 
rfprukfsdf[.]com 
ludvoxybkooeiyfmcb[.]com 
augustabilisation[.Jcom 
mfqiugrume[.]Jcom 
newvoluum[.]Jcom 
redirect-pendakas[.]Jcom 
panderasik[.]com 
qaskdhtuinhmmfsbcsu[.]com 
elptuelny[.Jcom 
gojmwuuvmpf[.]com 
bmoqgnuyxdvtnnjnfL.Jcom 
saqjrigokuins[.]com 
udbqsimre[.]Jcom 
dikorrtundbuov[.]com 
mfvgfeqskjbdvgbk[.]Jcom 
hmhmhfmnxvr[.Jcom 


Sample malicious and fraudulent MD5s known to have participated in the campaign: 


fSa0fb2a7caa7a052647c81 70c1a39dbdc772730c9069373b612345bd124622e 
f5d6a1eb0a72c3a4a446f4ba297f2ab5ec185a72600621 3f583ddfa95742fafc 
e928f0bedcf2d2b2deb64d59660a85285d36e238293ab6a8a0 1 4a4fd60240abe 
5c74f0be 1ec68220be491d2097 2fad07ce3dcd059f72501b597385fdb9b304cf 
21a83bc977 780bbf1251 ed86fce1f50f8ce9d82 1 4f09bbc5e4b8673b60ef389e 
€979987834dfd269b01 bc7b8b4c8893fcbe 1fc4d0b79799ad954d93870a14be9 
ddf300327e429 15cf5626d5fa389766028eace4 395b20f6ed523e843b8f942c7a 
22465d69056b65fa5 1bc42513d1e8157d4f71cb0413b462b9c34e1f1c6195e1f 
15c8cfc80d01d03353e3746da7e800e1b791fa59e863a0e54 1 2650c2970f5687 
fa46893d81dOcaf8f037697d65 11 d2a6ac8badbf733022ee38a4d3c86ab7 abfa 
f7d28fa1e7b728b9b5fc444575bec68ac4 1488b43 1191288b2c1af94077439ca 
e€03c90058cba1f74276fc44e28c8 1 Zafl 3c3cb6e4 1 Bfcaf9398b4ef9a024943a 
44bedc8d56cf0500481f2e1 75be0d87654edf85ff9003ef1 514907 18c059b772 
acc57/bcaffe9ddda6f097 3b2efac42e4af1e2311839804b7081904adab226e49 
af19edf1aa583d0384 110b98b76achSdaeeab8f1 427cedf4c22729842bff66b1 
af9624cc149d9f5f1d57052ec1362e30e207a758fe7d31e7ce83fbc0908b3042 


429f1840a18a5c509487 73b63c9f076c5e24e37 1ff56e2813d0704a69a9ccad2 
b18b0e1302bfa6cad723c35ca98985824 8efdf7 29 1 2da44da90ecfdab38ccObe 
b378755ae87b9a4feb9a8940ec0a02211043ff4 3ff1 2e00fb027375c28f7caeb 
d3e224c1281048e367d5604 98f69f68d292a655 733e2ddd4cea99cf8842de1 2d 
62cf11439fc6db5df3922c35c3bf7eb4df089fa74d36ae4596e652faf0a03b58 
fe892188103e7 160085d6ce0e8d5355b9b1 90f4 cebf23000e88ad 11859543c4 1 
b3dbeeae22d070551 23ed15be994 16a93F783914e575329e7al 2bal baf3c72d9 
b3d169b52dd14b8 126bb6af1011e49f1 734b8331cac48ceb386986000f8225e7 
A40bddda8cfb2e3b947c54e7295d60d62fdb7ce0e9b0593607340f5b2ca323769 
01b57627ffcceed33cc4b0336f59656c4a9f1 7cb9870b0fad3eec1f2dc295585 
ea877639f118c4756b1d3bc436347082e4ceaab4e69f5a4c28ac3f0416210222 
57adba8dea8bd0eb8dab7a2e77a52823b60b6062df64c7 7af0f5bfd7eafb542c 
a0fa7f51ccc22758db6956 1 53df2ced91 90980a1 e6f33080f27 0f7ae9b3188e1 
67b08a01a0d74857d5cf3ce1f9c74ff288cd40d 187c9c02fc31ebc15d5f410b0 
a136637e02c645e1 eeff4361395e685fcc9ac8d20687 22ac6f6f6260885533ca 
652abfb459e9d6a05bdda4fa482e6aaaac01 5d68cf5cef880b8cf8040b8ca0dd 
49d868552b108b370ff00c738dbeb963f27e15d188ea3d4a367af3d19b9cee96 
a/5c5339fdfd2f26491 53d3a7fff48bc4a4 786b20fab4bf062691 82442de0ab8 
a6e0640fa/76e8338fada84d6be7d64e6407d29fd277 75f2bad8b3a7fb3c08eec 
jaae50f2beba1 5b912331 7ebcb113735f0c543a28fedfa8318ca010adb5d8ac4 
471e411494ceea1634aa7489ca579bff4c1 a9c315b44c5484e3e30080fbf4391 
567 196ac39670f67c7af20491 5ae4 1aca9b25ce6de90ea0168c1 e9bfded661d7 
a8170f7b1eefd823af69669f7f2a8fcbd81 1b3f61844df895cb39886d5037d51 
6681b275869f1 a9ff80c9aa5d74c0d665 105921 fd1dd3fee8382072b3167d742 
634438cebeb6bb 1cf72feec06a4db3082940d493abbc1 c045b340dba0e245569 
42237 52fd2b8af103bf7d22745e12549ad38d44c4d3935afdd4b80b3877949ce 
add5d1b4d686d8af3ae108154ee4d60b57ecc395aee20a721bc1cdd1a46bc84e 
431 ebf39e7e4b6d9948858490ac9f5b4539 1e1d060641 3dfe6a94a7ba9edcaad 
bOcf501f816d7d317228e38842873b9a196d4d1f6095868fbe1a157d3e1e477b 
a54d5b2eeb35f65c0a76051e287 11995106f8cc296e836e6 1801310cb52f348d 
b1f0692072037b48a2a3752afd028d03faa418797a572765b21a9c50387c8fd8 
a5d79d48c8dd707abc97 754e9553ad 7a0d1a02f042f2098c43932669ed7cd615 
a/2f4ec974bb1a8e8939962975727 bf0039dc279 1 ffbcf599be8d3ee7 1614581 
564225f993995a0f7c3db79c03764aa5c2d8a92a3b10d365547 15c2c91 7b0f33 
633568b6a3a037f4565100498c1e97d07327dc1c44ce1fd71eefac76e72443c5 
A40afc4d1b02721c6c24b722034d042948abfda5674bf4639dcbf838442 1e6996 
b44d3c7b11901 834bdff1d2bc6 14bc9401353328529737bf525dbd60dbe5e053 
b4e5a9ec7466afaa9ae86b386a4 7743062fa51 8ac4f9af3715e5ac46ada47a3e 
11bf145258aa2a39d7ce0afba030ef8efe4b9 1652e0eb0abcc4b58845b94b00d 
b52412403fb8664e3fd23bfc2581f6dc51cb898 1 8c7faa52b1a928d0a26c6eae 
b51f5bd7e934e55b2 1558325e46cffd2838e598c7 5eab776ead2dcfcd521944c 
710a5800ff33027dc1666526b296d2338fb77e44f955486ec59b700851 9694 1d 
213a1972f31 be99a8facf1 8df2f7bO6df7b1ed423c4ff73b5a7 14b68c61ada99 
a10bd77a06886b72a268c15700346273351 b96dbd0bf26c8020316760d05a2b9 


a3cb499d11df0f17b344d24859e44d331b3a2897 c8eaef4f748d507f6eebb097 
a446895380d078687 28bf23f93e64b052028ec0f8fdOff4 1e8ecOaedd58ac4e9 
a4e89971ea45149ca95107f1a57611bbec1 2Zad6chcca4c840519df92fd78dad3 
a59e663b14d91 ecfd3c1ededd3e8dea799a4 5cbf8808e754b1 38d6f7ac7/0b6af 
47624985b79314597e7 15997 1bdc9df67093c04749bf040cfb3536589881 af60 
4753a1b00522f4965addf258ab649304a28c1 4e89c5e21 e4fe9c85f73d99f4f0 
aaffdea4 9f9dd7f00 1d85c50292c83934a287b74b30ba67e0ce1 26b50c377c6e 
ab9beeb5267744e62901 77c922ae34adedeffa1094c99bcO09bf4f5f9 11dfec58 
4517ff57ada354cd8 1baeed4651e97 2fff77 1141d0b8f849ab8026e9c46f838e 
8b87e13de1243c8e5f396404bd97c0f4b1 4f1c25c11 bdbd1c4dbbcdc206e096c 
3cee28ef52c59c99b841c6927f5085e483523cb8b606ff9ce5d60b3c1 3574545 
bd751b7f81ac37 3feeeff1 ddcd766436a03b7d606138569b/7a7e40a087c67423 
9b8361e24ca52a3bbcc358c283e1d98722eda4c88a60e7ec31 cOf27fdf8f109e 
a5b1fafb584555a5ebc1 fe93d9d46467 22a86b/a66ea804b68d31a2e57f44655 
4c0c0b05bd6502c5c724acc3545ad5/7c556b23575a0c896e5ebd898d7d4e72b6 
3b2450ffa3aee 7fabf8ed63ad61d1 7f27fe69acefae4c83ca435008d8ba3fb5b 
179be61f630ff8afa8d7c8e62df9588123397b02d05396a53945782ba1656701 
9ce412d43679dad6a70860e796535165b62a410b7b59401013721 2fd384b2fcf 
713deab3fc7915e1 2f79cc863f115b45f8ac28 15b6c8a59a4491820c346c0d6e 
df343c17b93724353a586aed 3fde3ef951 a0cf75b1efead54bd800bb16494b950 
4f56fae8be9642ac9eb2d743b1 36cb9acb6b8b8a88aicd4359ea1 bd804f724eea 
276266b76765a54 7663b91 b3c819e01 8b0e0f9757 9a7 0dd1 5da14bd7a201 bd92 
5135d85fda95e31ce21b09c097613953 16ee07 7f338ab96fed 7631 d2df22fa61 
87c1c01 9ffdeO95bb3b2e8f03e8fd1 084357099 1f7325c1033169fe288d975e7 
ae39bb89911ee4e91e5d4bc7c7f788892f3c02784b2cf63d1 ffa9e33867f36a2 
4508841 f23d73a3bfeb2cb9bb48658a34652654a5c22f9b521 9e58 1 7b888e220 
b159f660c87d07a97 18351 deffb308 106a8394eb2fbb 1 cd2bc988906980d8853 
5676654bc55667 0ef4ed5f8ef5f62bee9 738f57 c8ddd542b1e7b14cf8562a5fc 
42247d968d1 ebfd7a66b370dc3062000f4296b6 706c7f7d76d10c249861b72cf 
10dc747a33fe 1f8093b3c32eb1e2a724d171cf9a7d8d0eb6821 258863464 3dfd 
449f5ac9c6e3684c14a2a6367f3b89c130e44c94edcb5d7ec1862e08fa521885 
ad728ef9684f1 af5a08f28583fbc62c4 70c6a6966f2d53aat5/72569ed67 15011 
afe0c3d544 1d68581ec4119b43d831a1e3da562f1 799a27bad7f1539f970324d 
b0O8f88bb3a0676714156aa1d86fc37b2598fce4eef84b1 b1 Oc29fd4f9bbf7 4 
b0b36e347c97 13a6228a7855414bf943c5ecf1224bd87595b6254b724f92b22d 
418e42b1f430b563fbe6cce8ca64 7cd672b0c70a5b2e22ee78baa05/7bbec1 f7F9 
dd3853e4040c21d097e99d89526e7c92c9cda56 1db6cbd5015d2149f73a40152 
71df30de9426dbc1e57b0926bd7 bcadOf0cf0b55785bbfef903295 74c24f1 765 
6e79681c836558c05e0aac34dbe373e2abb935cc71ea9b1b11a917fc40a7142b 
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